mscz-files in Office365 detected as JAR-filetype

• Feb 11, 2020 - 14:03

Hello,
As a University of Arts in the Netherlands our docents and students often use musescore.
We use Office365 (Exchange Online) as our E-mail provider with default malware protection.
Unfortunately your mscz-files are detected as JAR-filetype and striped of mails.
I found something of a workaround in one of your fora, but is there a structural solution without weaken our security.


Comments

In reply to by Jojo-Schmitz

As you know, mscx cannot be set as default format, so that using it is indeed a workaround. It disturbs the flow of exchange. By the way, like Heiko I work at ArtEZ University of the arts. Students forget to convert; it puts them off using MuseScore. What we are wondering is why this is not a common problem. As you say, mscz is JAR-like. Yet we seem to be only the second case (?) of Office365 rejecting mscz.

In reply to by rvdhart

the .mscz format (as well as the .mxl format) is a ZIP archive, just like .jar.

We're using Office 355 at work too, yet I have no issues with .mscz attachments (neither with .jar as far as I can tell), but I do remember that once upon a time (some years ago) we had problems with compressed files having been flagged and even removed as being potentially dangerous, so you may need to talk to your E_Mail provider to relax the rules reg. dangerous attachments. There's nothing MuseScore could do to fix this.

In reply to by Jojo-Schmitz

We are using Office365 protection to handle spam and malware.
The list of filetypes for filetype-filters includes JAR as default.
To prevent us from malware we leave that setting.

As far as I know and tested not the name of the extention is checked, but if the signature is of this type.
So this filetype "mscz" is a configuration Microsoft states to be of a Jar-filetype classification.
I cannot make another exclusion if I want to keep the regular protection.

So or our customers (students and teacher of a main conservatory in the Netherlands) will use a workaround with frustrations or musescore is taking action.

In reply to by hlentfer

.mscz is a ZIP archive, same as .jar. You'd have the same issue with cimpressed MusicXML, .mxl, which too is a ZIP tformat. You might get your students to exchange .mscx files instead (plain text, XML like).

As long as you don't look into the content of those archives, there's no other way.

In reply to by rvdhart

It definitely seems a failure of the email provider. Sure, MSCZ is a ZIP-type file, but so is ZIP itself, and so are a whole bunch of other formats. Does the email program similarly disallow other ZIP archives? Actually, whether the answer is yes or no, it's a problem that needs to be reported to them so they can solve it. All ZIP files are not JAR archives, and certainly an MSCZ ile is not. So whatever is causing them to think it is, they need to get smarter about it.

In reply to by hlentfer

What change specifically do you think should be made? As far as I can tell, the file is a plain ordinary ZIP file;l only Office365 seems to make the error of interpreting it as a JAR file, presumably because it happens to contains a filename it knows JAR files also happen to contain. But this file isn't unique to JAR at all, it's actually a pretty standard part of other ZIP-based formats as well. As far as I can tell, that's a bug in Office365 - it is erroneously identifying all archives containing this filename as JAR files, rather than being smarter about the detection. The bug should be reported to Microsoft.

In reply to by hlentfer

Yes, apparently they do. And they apparently don't for everyone, as we're using Office 365 at work too, and do not have such issues (anymore, I do remember having had similar issues a while ago).

A ZIP archive is not malware, per se, it's content might, but even then a .jar file unlikely is.

"Don't judge a book by its cover" ;-)

The MuseScore developers simply cannot offer a solution here without breaking compaitibility for another million users!

But one possible solution has been outlined above several times: use .mscx as the format to exchange scores.
But here's another: use a cloud service (like OneDrive, also Microsoft) and just send links to that.
Or use 'Save online' and use musescore.com for that. Now that the 5-scores limit has vanished, Pro accounts are needed anymore (for that puirpose)

In reply to by Jojo-Schmitz

Playing the devil's advocate, code itself is not necessarily malware, but trying to eliminate mailing of code is par for the course for such filters. "Don't judge a book by its cover" is a fair aphorism for discouraging prejudice against human beings, but files enjoy no such rights: overkill is the name of the game. Yes, it's pathetic, in the Machiavellian way in which it is consequent to a humanity that still begets cheats and villains.

In reply to by BSG

Apparently prejudice is not just something humans do, but as seen here also software.
Yes, a .exe, or a .reg should certainly not pass though via email. Maybe a .jar neither. But a zip archive should, even it it contains a .exe, .jar or .reg file. It is up to the user to tell whether it is dangarous. Send to a real scanner, looking for fingerprints if malicous code.

We've been sending .exe files via email, renaming them to .eze and telling the recipient to rename them back ;-)
No scanner alarmed anyone...

In reply to by hlentfer

Yes, it would appear from what you are saying that Microsoft's filter is poorly designed, misidentifying files as JAR that are not. Bugs happen to everyone, Microsoft included, this would hardly be the first, or even the 1000th, probably not even the 1,000,000th. They are used to people reporting bugs agaisnt their software, and in fact, they do often even fix them once reported.

So, to be clear: we are offering a solution: the solution is to report the bug to Microsoft. Again, as far as anyone has been able to demonstrate, the ZIP file format is completely standard and should not in any way be problematic, without of without a manifest file. Every single program on earth seems to know this except, apparently, Office365, which is being far too conservative here, resulting in false positives that they should absolutely be able to address once the problem is reported to them.

In reply to by rvdhart

Lot of the discussion is about confusing MuseScore files with jar.
But... is it really so? Or was it just an hypothesis of the o365 admin?
Can we see some kind of log or messages that really show the confusion with jar to be able to identify the true reason why is it so?
And could you also manually write a basic XML file with notepad (a tiny one with just some XML tags), zip it, and send the result by email.
Do you have the same issue or not with that manually zipped XML or not?

It is unclear to me that there really is a discernible difference between an MSCZ and JAR file whose contents are an MSCX, images, and so forth. Both have META-INFO folder with an XML manifest, etc. It seems clear to me that the mscz format was deliberately designed to exploit JAR structure as much as possible because of the desire to use extant standards and formats rather than inventing new ones, without prescience that one day "NO JAR FILES, DOGS, OR FIREWORKS ALLOWED" might come to pass. This may not be easy to fix on the Microsoft side.

Not all executables are malware, but all executables are banned from all email because some are.

In reply to by BSG

So they do seem to look at the content, but still detecting mscz as jar, regadeless that only the latter would contain .class files (and only those contain code, that might or might not be malicious)? Seems an easy error to correct for Microsoft or the Office 365 provider

In reply to by BSG

That is, there are surely differences in the MANIFEST between a jar file containing java code and MuseScore's. However, Microsoft cannot know about each vendor who uses a JAR-like format. Careful test for the validity of a JAR file suspected of being malware is no way to write defense code. Remember the old Woody Allen movie where his character goes into a bank and passes the teller a threatening note ,,...the teller says, "it doesn't say GUN, it says GUB.", etc.?

In reply to by frfancha

That may be its origin, thank you, but it is often applied to situations where important differences are papered over by those not interested in discerning them, specifically is situations where a "negative judgment" or penalty is being applied. I don't want to bring up real-world examples, because they are all ipso facto politically sensitive. The factions and sub-sects and even major divisions of the hated group are rarely important to the hater.

In reply to by BSG

As much as I like and use Microsoft Office, I have stayed away from Outlook and their other email program. Too locked down. Which is probably why business and schools like them so much. I doubt that they will change anything. The OP and group might consider almost any other email.

Do you still have an unanswered question? Please log in first to post your question.